1. Field of the Invention
The present invention is related to antimalware systems, and more particularly, to methods of generation and optimization of heuristic scenarios for detection of malicious applications and objects.
2. Description of the Related Art
At the present time, the incidence of malware continues to increase. Similarly, the damage caused by malware also continues to increase. Existing computer anti-virus and antimalware systems, particularly those found in corporate networks, primarily rely on identification and detection of known malware threats. However, new threats appear with increasing frequency, and therefore, the problem of detecting and identifying previously unknown threats becomes ever more urgent. With the growth of communication networks, such as the Internet, the need for data exchange, such as through email or file sharing, leads to an ever increasing incidence of infection of computer systems with viruses and other malicious objects.
A number of different types of malware exist, such as Trojans, worms, viruses, links that lead to webpages with malicious programs, exploits targeting vulnerabilities in licensed software and so on. Other examples include malicious applications that cause financial crimes (crimeware), spyware, ransomware, and so on. At the present time, the number of different malicious programs continues to grow, which is due to the fact that the number of personal computers connected to networks continues to grow. Also, there has been a dramatic growth in online services, which also attracts fraudsters and criminals.
At the same time, the capabilities of anti-virus software vendors—both in terms of the equipment available to process new threats, as well as in terms of human experts available to analyze the threats—are finite, and it is impractical to increase these capabilities at a rate commensurate with the increase in the threats.
As the number of new users of the Internet increases, the exposure of those users to such malware also increases. Likewise, the growing number of services available online, such as internet banking, virtual money (e.g., webmoney), journals and blogs, and online applications such as Google apps, leads to increased opportunities for fraudsters and malware creators to practice their art.
The current generation of spammers and hackers is highly skilled in exploiting vulnerabilities in software, since most of these are professionals with a high degree of computer skill, particularly when it comes to organizing network attacks and extracting money or financial information from witting or unwitting victims. Their activity frequently extends beyond the banking industry to extortion through a technique called Trojan-Ransom, and similar types of attacks. The success of such fraudsters and criminals is at least in part due to various factors such as the insufficient protection level of many network based resources, weak or nonexistent laws on the subject of computer crime in many countries, and a lack of awareness or an insufficient level of computer literacy among many people who utilize computers that are connected to the internet.
It should be noted that conventional methods of combating malware, such as viruses, worms, Trojans, and so on, typically use signatures and heuristic methodologies, and have, for all practical purposes, reached their limits at this time. Traditional signature analysis still makes it possible to quickly and accurately identify a malicious application, but only if the malicious application is already known. The signatures themselves are constantly updated (at this time, this is frequently done on an hourly basis), which has one obvious drawback—such a protection mechanism gives the malware source a substantial amount of time to distribute malicious applications. From the time that the malicious application begins to be distributed, until the anti-virus vendor receives it, analyzes it, adds it to the signature database, tests a solution to it, and then publishes it on its server, many hours or sometimes days can pass. The problem is even more acute because not every step of the process can be automated, and some steps still require manual involvement by human experts.
Heuristic analysis is based on detection of certain features that are frequently characteristic of malicious software (such as specific code fragments, attempts to access registry keys, file names or processes), however, development and testing of each heuristic scenario is a time consuming process. Additionally, there is frequently a risk of false positives with this method. The effectiveness of such heuristic methods is rarely higher than 60-70% (i.e., the percentage of detection of unknown malware at the time of their first appearance).
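To make the contrast between the two conventional approaches concrete, the following is an added Python example (it is not part of the patent text and does not describe the claimed invention). It models signature analysis as an exact hash lookup and a heuristic scenario as weighted rules over behaviours recorded from a sandbox run. The samples, the event string format, the rule weights and the detection threshold are all constructed for illustration and are assumptions, not values taken from the patent. The example shows the two limitations discussed above: the signature misses a repacked variant of a known sample, while the heuristic catches the variant but also flags a benign installer (a false positive).

```python
"""Added example: signature lookup versus a weighted heuristic scenario."""
import hashlib
import re
from dataclasses import dataclass


@dataclass
class Sample:
    """A file plus the behaviours observed when it ran in a sandbox.

    All samples below are constructed for this example; none is real malware.
    Event format (assumed for this example): "<kind>:<target>".
    """
    name: str
    content: bytes
    events: tuple


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# --- Signature analysis: exact match against hashes of already-seen files ---
def signature_scan(sample: Sample, signature_db: set) -> bool:
    """True only if this exact file content has been seen and catalogued."""
    return sha256(sample.content) in signature_db


# --- Heuristic scenario: weighted feature rules over observed behaviour ---
# (rule name, regex matched against a single event, weight). Weights and the
# threshold are illustrative assumptions, not values from the patent.
HEURISTIC_RULES = (
    ("autorun_persistence",
     r"^reg_write:HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", 3),
    ("drops_into_system32", r"^file_write:C:\\Windows\\System32\\", 2),
    ("spawns_shell", r"^proc_create:(cmd|powershell)\.exe", 2),
    ("disables_security_tool", r"^proc_kill:.*(defender|antivirus)", 4),
    ("contacts_raw_ip", r"^net_connect:\d+\.\d+\.\d+\.\d+:", 2),
)
THRESHOLD = 5  # assumed: total weight at or above this is a detection


def heuristic_scan(sample: Sample, rules=HEURISTIC_RULES, threshold=THRESHOLD):
    """Return (verdict, score, matched rule names) for one sample."""
    matched, score = [], 0
    for name, pattern, weight in rules:
        if any(re.match(pattern, ev) for ev in sample.events):
            matched.append(name)
            score += weight
    return score >= threshold, score, matched


# Constructed samples: a known trojan, a repacked variant with identical
# behaviour but different bytes, and a benign installer whose setup steps
# happen to look suspicious.
KNOWN = Sample("known_trojan.exe", b"TROJAN-BUILD-001", (
    r"file_write:C:\Windows\System32\svchost32.exe",
    r"reg_write:HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc",
    "proc_kill:defender.exe",
))
VARIANT = Sample("repacked_trojan.exe", b"TROJAN-BUILD-002", KNOWN.events)
INSTALLER = Sample("vendor_setup.exe", b"SETUP-7.1", (
    r"file_write:C:\Windows\System32\vendor_driver.sys",
    r"reg_write:HKCU\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
    "net_connect:203.0.113.5:443",
))
SIGNATURE_DB = {sha256(KNOWN.content)}  # only the known build is catalogued


def evaluate(samples, signature_db=SIGNATURE_DB):
    """Run both engines; return {name: (sig_hit, heur_hit, score, matched)}."""
    results = {}
    for s in samples:
        hit, score, matched = heuristic_scan(s)
        results[s.name] = (signature_scan(s, signature_db), hit, score, matched)
    return results


if __name__ == "__main__":
    for name, (sig, heur, score, matched) in evaluate((KNOWN, VARIANT, INSTALLER)).items():
        print(f"{name:20s} signature={sig!s:5s} heuristic={heur!s:5s} "
              f"score={score} matched={matched}")
```

Running it shows the signature engine hitting only `known_trojan.exe`, while the heuristic scenario scores both trojan builds and the installer above the threshold. Tuning the weights or threshold to suppress the installer would also lower the score of the trojan, which is the trade-off behind the manual effort and false-positive risk described above.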
In the event of infection of a computer by a malicious application, there are a number of known approaches to addressing the infection. Typically, such an approach is based on the anti-virus vendor's server sending certain information to the client computer. An example of such a solution using known templates is discussed in U.S. Pat. No. 7,346,928, which describes a system consisting of a server that receives requests from multiple clients for an anti-virus check of their files. Other known systems first generate a scenario for checking a computer for infection, and, based on the analysis of the infection, a cure solution is generated. U.S. Pat. No. 7,093,239 describes a system for analysis of a computer for the presence of malicious code. Such a system generates a template for behavior of each application, and then analyzes the applications for those with behavior whose characteristics match those of a malicious application. However, the conventional approach frequently overloads the network due to a large number of clients requesting resources from the server, and due to a large number of new applications that require analysis.
A review of the conventional techniques shows that existing techniques are not designed for a high rate of growth in the number of new applications, and, as a consequence, are unable to provide a satisfactory level of detection of malicious applications. A new approach to the use of heuristic algorithms is necessary that makes it possible to increase the rate of detection of malicious applications by generating and optimizing new heuristic scenarios for malware detection and identification.
Accordingly, there is a need in the art for a system and method for automated generation of heuristic scripted algorithms for more efficient malware detection.